UTF8 question
Hi I can create certificates with UTF-8 Strings like this: X509_NAME_add_entry_by_txt ( pName, CN, MBSTRING_UTF8, ( unsigned char* ) subject.commonName.toUtf8(), -1, -1, 0 ); But how can I read back entries in the same encoding? X509_NAME_get_text_by_NID does not return UTF-8 and I cannot find a function where I can specify MBSTRING_UTF8. regards, Gerhard. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Linker errors on windows
Hello I tried to deactivate patented algorithms that are mentioned in README, but I get unresolved externals linker errors. I'm building this way: set OPTS=no-asm perl Configure disable-idea disable-rc4 disable-rc5 disable-ntt disable-mdc2 VC-WIN32 perl util\mkfiles.pl MINFO perl util\mk1mf.pl %OPTS% dll VC-WIN32 32dll.mak perl util\mkdef.pl 32 libeay ms\libeay32.def perl util\mkdef.pl 32 ssleay ms\ssleay32.def @if errorlevel 1 goto end nmake -f 32dll.mak :end Output: link /nologo /subsystem:console /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOKUME~1\gergap\LOKALE~1\Temp\nm37D.tmp ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored LIBEAY32.def : error LNK2001: unresolved external symbol d2i_Netscape_RSA LIBEAY32.def : error LNK2001: unresolved external symbol d2i_RSA_NET LIBEAY32.def : error LNK2001: unresolved external symbol i2d_Netscape_RSA LIBEAY32.def : error LNK2001: unresolved external symbol i2d_RSA_NET out32dll\libeay32.lib : fatal error LNK1120: 4 unresolved externals NMAKE : fatal error U1077: 'C:\Programme\Microsoft Visual Studio 8\VC\BIN\link.EXE' : return code '0x460' Stop. Building OpenSSL failed. Build failed Has somebody a tip how to solve this? regards, Gerhard. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Linker errors on windows
I don't trust binary releases from third partys. You never know if there is a backdoor in it. Beside this I want to be able to update my dlls whenever there is a bugfix of OpenSSL. What we need is to fix that issues. Is it possible to deactivate the code parts that are referencing RC4? If not we have to create our own patch to remove that. bagavathy raj schrieb: I think we are sailing in the same boat. I hit into exactly the same problem.if you try compiling without disabling rc4. You will not get those linking errors. But if we want to exclude all patented algorithms, then we need to look for specific build releases without these algorithms. On 6/16/08, Gerhard Gappmeier [EMAIL PROTECTED] wrote: Hello I tried to deactivate patented algorithms that are mentioned in README, but I get unresolved externals linker errors. I'm building this way: set OPTS=no-asm perl Configure disable-idea disable-rc4 disable-rc5 disable-ntt disable-mdc2 VC-WIN32 perl util\mkfiles.pl MINFO perl util\mk1mf.pl %OPTS% dll VC-WIN32 32dll.mak perl util\mkdef.pl 32 libeay ms\libeay32.def perl util\mkdef.pl 32 ssleay ms\ssleay32.def @if errorlevel 1 goto end nmake -f 32dll.mak :end Output: link /nologo /subsystem:console /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOKUME~1\gergap\LOKALE~1\Temp\nm37D.tmp ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored LIBEAY32.def : error LNK2001: unresolved external symbol d2i_Netscape_RSA LIBEAY32.def : error LNK2001: unresolved external symbol d2i_RSA_NET LIBEAY32.def : error LNK2001: unresolved external symbol i2d_Netscape_RSA LIBEAY32.def : error LNK2001: unresolved external symbol i2d_RSA_NET out32dll\libeay32.lib : fatal error LNK1120: 4 unresolved externals NMAKE : fatal error U1077: 'C:\Programme\Microsoft Visual Studio 8\VC\BIN\link.EXE' : return code '0x460' Stop. Building OpenSSL failed. Build failed Has somebody a tip how to solve this? regards, Gerhard. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 . 91058 Erlangen . Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: linking errors on linux........!
Specifying -lssl is sufficient. libssl depends on libcrypto and so will be automatically linked indirectly to your app. e.g. gcc main.c -lssl -o sample will work. On Monday 16 June 2008 15:13:19 vinni rathore wrote: Hi.. first of all thanx as I got success using -lssl option with my file but could you please give me the whole procedure that why the linking errors?? how to link with the Library it needed .. i think in linux it require Libcrypto.so and libssl.so.. please provide me the steps.. thnx in advance regards, Vinni -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation system communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to extract subjectAltName
Hi,
I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
For the X509_NAME entries the same procedure works,
but this ASN1_STRING seems to be different.
In the debugger I can already see the ASN1_STRING:
pString-length = 43
pString-type = 4
pString-data = 0)†
urn:x:bla‚ xxx
pString-flags = 0
Code snippet:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
int loc = X509_get_ext_by_NID(m_pCert, NID_subject_alt_name, -1);
pExt = X509_get_ext(m_pCert, loc);
if (pExt)
{
ASN1_STRING *pString = X509_EXTENSION_get_data(pExt);
length = ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pString);
ret.subjectAltName = pBuffer;
OPENSSL_free(pBuffer);
}
return ret;
}
regards,
Gerhard
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
Thanks for that tip.
It works now this way:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
GENERAL_NAMES *subjectAltNames;
subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert,
NID_subject_alt_name, NULL, NULL );
if ( subjectAltNames )
{
int numalts;
int i;
/* get amount of alternatives, RFC2459 claims there MUST be at least
one, but we don't depend on it... */
numalts = sk_GENERAL_NAME_num ( subjectAltNames );
/* loop through all alternatives */
for ( i=0; ( inumalts ); i++ )
{
/* get a handle to alternative name number i */
const GENERAL_NAME *pName = sk_GENERAL_NAME_value (
subjectAltNames, i );
switch ( pName-type )
{
case GEN_OTHERNAME:
break;
case GEN_EMAIL:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.eMail = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_DNS:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.DNS = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_X400:
break;
case GEN_DIRNAME:
break;
case GEN_EDIPARTY:
break;
case GEN_URI:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.URI = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_IPADD:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.IP = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_RID:
break;
}
}
}
return ret;
}
On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote:
GeneralNames *names;
STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null();
names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (names) {
/* you now can use OpenSSL to transform the names into
some printable format... */
i2v_GENERAL_NAMES(NULL, names, vals);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
for(int i = 0; i sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
ret.subjectAltName.appendNameValue(conf-name, conf-value);
}
sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);
--
mit freundlichen Grüßen / best regards
Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to unsubsribe from OpenSSL Users ML
Ups, wrong address before. Send a message to [EMAIL PROTECTED] with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: *i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP* -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Reference Counters in OpenSSL
Hi some functions like X509_PUBKEY_get increment the internal reference counter of the object so that EVP_PKEY_free( pKey ) has to be called. Other functions like X509_get_X509_PUBKEY just return an internal pointer and I have to care myself about reference counting. Is there a general rule or naming convention to know how to use that? Or is the only possibilty to figure that out debugging into the code? -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 . 91058 Erlangen . Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: How to unsubsribe from OpenSSL Users ML
Send a message to openssl-users@openssl.org with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: *i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP* -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
certificate signing authority is unknown or invalid
Hello I'm creating a self-signed x509 certificate with some extensions. I have to set DNS and URI in subjectAltName, keyUsage and extendedKeyUsage. Sample: subjectAltName = URI:opc.tcp://FOO:4840, DNS:FOO keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth If I do so I get an invalid certificate: certificate signing authority is unknown or invalid Without the extensions the certificate is valid. I think OpenSSL is missing some information of this extensions are present. The questions 1.) Do I have to set basicConstraints to CA:TRUE or CA:FALSE for a self-signed certificate? 2.) What extension is missing or wrong so that I can get valid certificate? -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation system communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: certificate signing authority is unknown or invalid
You can see that error when you are opening the cert file in Konqueror or Windows Explorer. I just found out that it works when I'm adding the keyCertSign flag to keyUsage. But I don't understand the background why this is necessary. Is there any documentation available about this extensions? Kah Goh schrieb: Hi, So what are you doing to get the certificate signing authority is unknown or invalid? Is it an error from OpenSSL? What are you doing when you get this message? On 19/06/2008, *Gerhard Gappmeier* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: It's not the commandline. My own C++ programm creates the certificate using libssl. But it's also possible to create such files with the openssl commandline tool. the certicate data looks like that: D:\temp\ua_cert_gen\UA_X509v3_Extopenssl.exe x509 -inform DER -in WS_GERGAP.Opc.SimaticNET.S7.der -text Certificate: Data: Version: 3 (0x2) Serial Number: fe:f3:d8:c2:00:86:88:12 Signature Algorithm: md5WithRSAEncryption Issuer: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP Validity Not Before: Jun 19 09:58:07 2008 GMT Not After : Jun 19 09:58:07 2009 GMT Subject: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:be:a4:4f:36:f9:e7:d0:15:b2:9f:2e:f1:33:31: 06:ee:d7:61:46:91:f7:ee:bd:22:72:06:db:17:9f: d8:83:a3:ee:67:0d:67:e0:1d:ea:b8:86:6e:b1:fe: 9c:49:8b:e3:75:ee:7e:0b:5c:03:5e:ac:06:76:25: 93:13:20:fe:e3:77:e5:c6:ce:58:fc:e3:b9:83:61: 7c:ae:34:d6:63:1a:0a:1e:12:5b:c5:ce:d4:be:8e: a6:b2:13:75:5f:27:c6:58:14:af:84:81:99:88:ef: 8a:fb:ab:13:08:2e:3b:fb:d5:cb:f3:20:fc:81:6c: 9e:9e:3d:d9:80:60:3a:93:15 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 6B:CF:CD:B4:BD:0A:EB:FF:C1:DD:4E:D3:20:23:7E:58:64:11:FB:ED X509v3 Authority Key Identifier: keyid:6B:CF:CD:B4:BD:0A:EB:FF:C1:DD:4E:D3:20:23:7E:58:64:11:FB:ED DirName:/CN=WS_GERGAP.Opc.SimaticNET.S7/DC=WS_GERGAP serial:FE:F3:D8:C2:00:86:88:12 X509v3 Subject Alternative Name: URI:opc.tcp://WS_GERGAP:4845, DNS:WS_GERGAP Signature Algorithm: md5WithRSAEncryption 54:62:c1:a4:80:42:21:e9:be:94:a5:b0:ab:b3:13:4e:6b:a4: 8f:11:70:28:b6:9c:52:2a:aa:78:3a:aa:d2:cd:aa:10:1d:ad: e7:64:e4:0a:06:3b:9d:14:99:3b:83:3c:fe:75:18:48:a5:77: 8d:a5:d4:5c:57:31:52:80:0e:16:7b:22:ed:72:09:a3:21:7c: 2c:5c:ed:86:30:ef:29:f6:03:40:77:14:f0:03:fc:da:6f:0e: d5:5a:ac:c6:af:5a:ff:78:f0:ca:ba:4b:3b:93:23:78:8a:53: 85:70:63:10:95:69:21:86:72:4e:9d:87:c6:f6:b9:c4:a6:d5: 52:70 -BEGIN CERTIFICATE- MIIDLTCCApagAwIBAgIJAP7z2MIAhogSMA0GCSqGSIb3DQEBBAUAMEExJDAiBgNV BAMUG1dTX0dFUkdBUC5PcGMuU2ltYXRpY05FVC5TNzEZMBcGCgmSJomT8ixkARkW CVdTX0dFUkdBUDAeFw0wODA2MTkwOTU4MDdaFw0wOTA2MTkwOTU4MDdaMEExJDAi BgNVBAMUG1dTX0dFUkdBUC5PcGMuU2ltYXRpY05FVC5TNzEZMBcGCgmSJomT8ixk ARkWCVdTX0dFUkdBUDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvqRPNvnn 0BWyny7xMzEG7tdhRpH37r0icgbbF5/Yg6PuZw1n4B3quIZusf6cSYvjde5+C1wD XqwGdiWTEyD+43flxs5Y/OO5g2F8rjTWYxoKHhJbxc7Uvo6mshN1XyfGWBSvhIGZ iO+K+6sTCC47+9XL8yD8gWyenj3ZgGA6kxUCAwEAAaOCASswggEnMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAs BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD VR0OBBYEFGvPzbS9Cuv/wd1O0yAjflhkEfvtMHEGA1UdIwRqMGiAFGvPzbS9Cuv/ wd1O0yAjflhkEfvtoUWkQzBBMSQwIgYDVQQDFBtXU19HRVJHQVAuT3BjLlNpbWF0 aWNORVQuUzcxGTAXBgoJkiaJk/IsZAEZFglXU19HRVJHQVCCCQD+89jCAIaIEjAu BgNVHREEJzAlhhhvcGMudGNwOi8vV1NfR0VSR0FQOjQ4NDWCCVdTX0dFUkdBUDAN BgkqhkiG9w0BAQQFAAOBgQBUYsGkgEIh6b6UpbCrsxNOa6SPEXAotpxSKqp4OqrS zaoQHa3nZOQKBjudFJk7gzz+dRhIpXeNpdRcVzFSgA4WeyLtcgmjIXwsXO2GMO8p 9gNAdxTwA/zabw7VWqzGr1r/ePDKuks7kyN4ilOFcGMQlWkhhnJOnYfG9rnEptVS cA== -END CERTIFICATE- Klarth schrieb: Hi, I'm wondering what is the command that you are using
Re: How to install PEM format Server Certificate in Windows Server 2003
Hi, 1.) your question is not an OpenSSL question, it's just a how to use windows problem. 2.) Windows normaly uses a built-in certificate store. 3.) If you have written the .Net app you should know what certificate store you are using. The default one that is used for web browsing (IE)? (Your app trusts everybody that is in the default store,e.g. signed by verisign) Or an own one with applications specific certificates? (You are controlling who is trusted) This depends on the kind of application. 4.) Managing certificates on windows is like always on Windows hidden in some strange GUI dialogs, whereas OpenSSL just uses the file system (which is much easier in my opinion). On WindowsXP I do it using the management console 1.) Start-Run: mmc 2.) File-Add Snap-in 3.) Choose certificates, select computer acccount 4.) Finish the dialogs and then you should see the Windows Certificate Store with all its categories. Here you can import certificates via the context menu All Tasks-Import I hope this helps you. Woo, Swee Hong schrieb: Hi, I have an application that need to have TLS 1.0 connection. CA root certificate is created and install into client terminal. Then from the CA Root Cert, create the Server Certificate and install into my application server. Both cert created in PEM format. Now my problem is how to install the Server Certificate into my OS which is Windows Server 2003. My apps is wriiten in .Net. Then after install, how to initiate the TLS connection with my client terminal? regards, SweeHong -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 . 91058 Erlangen . Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: Certificate validation problem
Thanks Dave, today I rechecked the dump of the certificates which cause the problem. The AUTHORITY_KEYID was really missing in them. They were created using some MS .Net stuff. My certificates which I create with openssl work fine. I told the guy who created the wrong certificates about the missing field. In our protocol this field is mandatory because our commonNames are not always unique. On Friday 10 October 2008 02:03:44 Dave Thompson wrote: -Original Message- From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier Sent: Wednesday, 08 October, 2008 08:14 I've a problem with validating self-signed certificates. In my use case it's possible (but unlikely) to have multiple self-signed certificates with the same commonName. More to the point, they are root CA certs -- selfsigned, AND used to sign child certs. Your problem is with child linkage, not selfsigned as such. In the used protocol the URI field in subjectAltName fulfills the purpose of distinguishing the application instances. That appears to be irrelevant. When validating a certificate using X509_verify_cert it seems that OpenSSL finds the wrong certificate in the store due to the same commonName and then the validation fails. As far as I understood the code - but I'm not sure - the problem is, that X509_check_issued() that is called indirectly by find_issuer() doesn't check the certificate serial number when searching for the issuer certificate and only looks for the commonName. This happens because no AUTHORITY_KEYID (subject-akid) is available in the subject structure. (why?) See the screenshot for details. Your screenshot came out totally illegible, at least for me. AKID is an optional extension, with several optional subformats. Do you have a copy (e.g. in a file) of the cert you want to validate i.e. the subject=child cert? If so, check the extension is present, and has (child.)AKID.keyid = parent.subjkeyid and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial) . How did you obtain, or create, the child cert? (Commercial CA, inhouse CA, openssl CA.pl, openssl commandline, etc.) The certificate of course has a serial number so I want this to be checked when looking up a certificate in the store. Which cert? When you want to look up the parent you need attributes of the parent, not the child. If you want to look up the parent by issuer+serial (serial alone is not enough) (although in this case parent is selfsigned so its issuer and subject are the same), use child.AKID.(issuer+serial) as above. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
License Question
Hi, if OpenSSL is included in hardware e.g. in a PLC, where should the copyright notice go? The hardware has no user interface with an about box or something like that. So the only place that remains would be the PLC manual. Would it be enough to write the following acknowledgement from the OpenSSL license This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) in the PLC manual? -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth signature.asc Description: OpenPGP digital signature
[openssl-users] How to use EVP_aes_256_cbc_hmac_sha256
Hi, I'm trying to use EVP_EncryptUpdate() with EVP_aes_256_cbc_hmac_sha256() to speed up encryption. This "stiched" version should be faster than first hashing and then encrypt the data. See also https://software.intel.com/sites/default/files/open-ssl-performance-paper.pdf for some background. However I don't see a way to configure the offset between the data to be signed and the data to be encrypted. In my protocol (not TLS) we have a header of 16 byte that gets signed, but not encrypted. Some ASCII art to explain this (use fix size font to view this): /signed---\ |header|seqheader|body|padding|signature| \encrypted---/ I debugged already "openssl speed -evp aes-256-cbc-hmac-sha256" but this looks for me like the same data is signed and encrypted, and no offset is used. Is it possible somehow to define such a offset? I was expecting that the same is necessary for TLS, but I'm not a TLS expert :-) regards, Gerhard. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
